topic Re: Can't disable windows event collection in All Apps and Add-ons

Can't disable windows event collection

grantcasey — Mon, 19 Dec 2011 21:55:54 GMT

I installed the Windows app and updated to 4.2.3 and now I can't disable any of the local event logs it is collecting - which in my case is taking up 500MB + of data a day per machine.
Any way around this? What is indexing it behind my back? I have disabled local event log collection from the Data Inputs menu, but they just keep indexing anyway...

Re: Can't disable windows event collection

araitz — Mon, 19 Dec 2011 23:18:25 GMT

It could be that the version of the app you are using uses WMI to index the local event logs by default. Disabling the WMI inputs via Manager or wmi.conf might do the trick.

Re: Can't disable windows event collection

richnavis — Mon, 13 Feb 2012 17:09:24 GMT

I have the same problem for remote event logs. Disabled collection, but they continue to collect.

Re: Can't disable windows event collection

dmaislin_splunk — Mon, 13 Feb 2012 17:24:26 GMT

Did you check all the boxes when you installed the forwarder? If so, go to the remote machine into where Splunk is installed into etc/apps. Go to the msicreated/local and see if you have inputs.conf, perfmon.conf, and wmi.conf. if you remove them and restart the forwarder it should stop. They may also be in etc/system/local too.

Re: Can't disable windows event collection

grantcasey — Mon, 13 Feb 2012 18:10:23 GMT

I had to uninstall the Windows app from my splunk instance.

Re: Can't disable windows event collection

slierninja — Thu, 22 Aug 2013 22:38:07 GMT

My universial forwarder setup the inputs.conf in the Program Files\SplunkUniversalForwarder\etc\apps\MSICreated\local path.